2017 Annual Florida Bar Convention: Insuring Against Cybersecurity Risks and Privacy Perils

Episode Notes

Transcript

The Florida Bar Podcast

2017 Annual Florida Bar Convention: Insuring Against Cybersecurity Risks and Privacy Perils

06/22/17

[Music]

Intro: Welcome to The Florida Bar Podcast, where we highlight the latest trends in law office and law practice management to help you run your law firm, brought to you by The Florida Bar’s Practice Resource Institute. You are listening to Legal Talk Network.

[Music]

Christine Bilbrey: Hello and welcome to the Florida Bar Podcast brought to you by The Practice Resource Institute on Legal Talk Network. This is Christine Bilbrey recording from the 2017 Annual Florida Bar Convention in Boca Raton, Florida. Thank you for joining us today.

I have some special guests for this special edition of The Florida Bar Podcast and we’re going to be talking about cyber security risks and insurance to protect your firm.

I have three guests today. I have Chip Trefry Jr. He is the president and CEO of Member Benefits located in Jacksonville. Florida member benefits administers The Florida Bar Member Benefits Insurance and retirement programs as well as other association programs nationwide and I know that they are going to be looking into adding cyber security for our members going forward.

I also have Scott Reid. Scott is a national director of cyber insurance for Gallagher Infinity Insurance Services and he also serves as the current director of risk management for The American Cyber and Data Security Alliance.

My third guest is Jacey Kaps. He is a partner at Rumberger, Kirk & Caldwell in Miami where he’s an experienced civil litigator and legal adviser for the retail and hospitality sector and I know I’m going to start with you Jacey. This is really your area that you focus on at your firm so tell our listeners what did you talk today about in the CLE, what do you bring to the table on this topic?

Jacey Kaps: Thanks Christine. I appreciate you asking that right out of the blocks. What we talked about is viewing data protection and cyber protection as a security issue and the analogy that we use was considerate along the lines locking your doors. It is a modern day version of that with the added nuance that Scott brings into it and brought up about, also having internal risks.

So, we tried to create a picture of the visual way in which your data can be attacked, the visual way in which you can experience these various exploits and we actually had an image behind us when we’re talking that was a recording of one minute, only one minute of a real-time set of attacks against our law firm and I think people who responded to that, reacted to it were blown away by how many attacks were going on in this frame of one minute and it was in the hundreds and people came up afterwards and talked to me about that having an impact on them from a visual standpoint, so we talked about that 03:04.

Christine Bilbrey: And this is definitely something that is keeping attorneys up at night and if it’s not, I hate to say it but it probably should be, you should be, if you’re not tech savvy yourself, you need to really be getting a reliable expert to come in and take a look at your system and what’s going on and so Scott, what did you talk about today?

Scott Reid: I talked specifically about insuring that risk, just as Jacey you mentioned, locking up the information, if that information — that lock gets broken and someone comes in and steals it, there’s an exposure there, a financial exposure as well as a liability exposure that needs to be insured and most practitioners insure other things in their business if they have a building, they buy general liability insurance for the building, they buy a professional liability for an error or an omission and they need to look at insuring the other parts of their business which includes cyber and data risk.

Christine Bilbrey: And for attorneys, this has even kind of an enhanced risk to it because of the ethical requirements placed on them because of the confidential data, all the personal personally identifiable information and so when we get to the insurance, I think a lot of times people just want to sign up, just give me some of that cyber security insurance but when we’ve looked into it more a PRI, we realized that there’s a difference that you could get insurance for a breach, you can get insurance for an incident, there’s different things.

Can you talk about what you know specifically they should be getting, so if their clients need to get credit protection down the road, what are some of the different types of insurance that are available to attorneys?

Scott Reid: Well I think the insurance is an important part of a three-pronged strategy. They need to take steps to try to prevent the breach from happening to start with and then they need to know how to respond to the breach in the event that it does happen.

(00:04:56)

So the insurance is designed to provide a financial backstop to pay for the cost that would be inflicted on the practice for having that breach happen and because cyber insurance is relatively new, there are lots of different policies out in the marketplace right now and as you mentioned, that’s created a little bit of confusion about what is the insurance and what does it cover.

And one of the first kind of critical components to look at is cyber in it breach, and data breach are actually two different types of transactions or incidences. You can have a data breach which means information was either lost or inadvertently misplaced or stolen. It could be paper files, it could be flash drives, it could be lost cell phones and laptops.

That is a different type of loss than a traditional cyber breach which is more of a hacker getting into your systems and either stealing the information or perhaps holding it ransom, so one of the first key elements we want to make sure that everyone carries is both cyber and data breach insurance which is a more comprehensive policy.

Christine Bilbrey: Okay and so Chip and I were talking right before we started recording about I had recently had an expert say to me once you stop getting the spear phishing emails that probably means they’re already in your system and to me that’s terrifying.

And so if someone is calling you up and saying I need this insurance, do you have people that have already, that are worried that it’s already happened that are trying to patch it together or are you recommending, you tell me that your company will actually test ahead of time.

So tell me what an attorney should be doing when all these things are happening in their mind. So, if I don’t think I’ve been breached but I want to do the right thing, what would you tell me?

Scott Reid: The program that we’re developing right now would be first to test yourself, that would be the first step to get some idea of how vulnerable you might be, are you the lowest lying fruit that is out there that’s easily hacked. Once you determine that and in a lot of cases the smaller firms are going to be very vulnerable.

And secondly, you can continue to test yourself when you find out, you can find out what you need to do to improve, make it less likely that you would be attacked and secondly you can continue to monitor that and there’s a program where you can pay a monthly fee depending on the size of your firm and your revenue that you’re constantly being monitored that people are calling in and talking to your staff and seeing what emails they open and see where they go and then training, in-house training, with the staff to teach them how to prevent these attacks from happening.

And then no matter what you do, you still could have liability and you so therefore you have to have the insurance or you should consider the insurance and so we’ve put together with Scott, several carriers that would be on an exchange platform that’s the Florida Bar Member Benefit Exchange, where you can choose and match yourself up with the proper insurance.

And then last forth is that even with the insurance and everything else you’ve done, it still could happen and your data could get encrypted. How do you get it back? You have to store it properly in the off-site storage and who you use is crucial to the whole 08:13 approach and we’re hoping we’ll be able to have this program available for members of the Florida Bar very, very soon.

Christine Bilbrey: Great because we talked about before, even if you know you need it, you don’t want someone’s either recommendation you got with someone’s brother-in-law that knows a little bit about IT, you don’t want to go that route. You want it and at the Florida Bar obviously, we want to be able to direct our members to someone that’s going to do the right thing for them? Jacey how are they getting in? What’s the most common way they’re getting into the law firms?

Jacey Kaps: Oh boy, there’s again you could go back to that video that kind of showed how much attacking is just going on in a single minute. There are so many different ways and so many different access points. We talked about a case example involving ransomware and we don’t know exactly how the ransomware was introduced into this law firm’s system but once it got in, the results were devastating for the law firm.

Really effectively as we understand it from this example that we’re still learning about recent one, the law firm is kind of out of business who are shut down temporarily at the moment. So I would say and I know Scott’s talked about this as well when we spoke, internal introduction of these risks, proper training to avoid that, that’s a big key factor. That is a big way in which problems are being introduced into the system.

Someone is opening a malicious email. Someone is actually and it amazes me and it happens every day, all over the place, people are opening up attachments to emails. Those are really principally to me those are the fundamental risks that law firms need to think about and need to address but also they need to as Scott and Chip we’re talking about protect against.

(00:10:04)

You are protecting yourself, you’re protecting your clients and growing in this environment, we’re seeing clients demand that. They’re aware of these risks and we just enumerated one ransomware risk.

Our clients are aware of these risks and they expect when it comes to our practices and there’s an ethical component too that was discussed during the presentation that we deliver the best representation that we can, that we protect the data the best way we can and there’s a growing recognition of just how critical this is.

Christine Bilbrey: And it used to be that when you would get these spear phishing emails, there would be like grammar mistakes or typographical errors, so you could pick them out. Now they’re sending them out and they are exactly, there are flawless emails and it’s made me so paranoid. Jonathan, my director at PRI, his office is right next to mine and literally if he sends me something with a link or an attachment, I will lean out and say, Jonathan did you just send me an email because I click on nothing.

I go to the website now. If I get something and I’m pretty sure that it came from my own bank or my own insurance company. I still go outside and type in the actual web address to go there. I just have stopped clicking on anything so and you do have to train your staff. They are going to click on those things because they don’t want to disturb the attorney and take up time doing that. So, they’re taught to be efficient, so that’s definitely a challenge.

The other thing that comes up with our members is expense. If I’m a solo or I’m a small firm, Scott is this affordable and I obviously when you need it, it’s going to be priceless but are there plans that are going to be geared to those smaller firms?

Scott Reid: Absolutely and the small business owner and specially the small practitioner is actually the number one target of the cyber criminals because they know that the practitioner may not have a very complex IT infrastructure and they have no security protocols in place or have done the proper training, so we want to make sure that we built a policy that was easy for the small practitioner to obtain both from a price perspective but also from a just an acquisition perspective.

Meaning there’s a lot of insurance policies that are out there that are very complex to buy. The application is very lengthy, lots of questions about IT protocols and how the company is structured and so if it’s so cumbersome to buy or too expensive to buy and it’s really not a good option for the numbers.

So, we built a program that has a very low price point. Attorneys can get in for as little as three or four hundred dollars and it’s also made available on Chip’s platform which is all online, so it’s a very easy application process. From start to finish, they can go online, fill out a few questions, see what the rate is, what the coverages are and if they like the coverage, they can actually buy it right then and download the policy and have it effective the same day.

Christine Bilbrey: And I want to let our listeners know that all three of my guests today spoke at a CLE here in Boca Raton. So if you want to know more about this, you’ll be able to go to the Florida Bar website or the young lawyers division and actually you could download the whole CLE to get more information but I want to ask each of you, if our listeners want to reach out to you or someone at your companies, are you on social media, is there website address, how can they reach you?

Chip Trefry: You can go on to The Florida Bar website. You’re going to see The Florida Bar Member Benefit Insurance and retirement programs or you’re going to see the Florida Bar Private Insurance Exchange. They’re the same thing. When you go in there, there’s a multiple of products all the way from travel to health insurance and most of the people to go in there and looking for health insurance but there’s life, there’s disability, there’s 401 K Plans and then there’s most of the products you can go and just apply for them right online.

Christine Bilbrey: Oh! Wow okay.

Chip Trefry: A lot of people want to talk to our counselor, so we do have counselors available that specialize in the different products. This product, the cyber product, is 14:00 for the cyber program because it’s not just the product, it’s a whole program. It is not up yet. We hope we’re going to have it up within a week or two.

Christine Bilbrey: That’s great.

Scott Reid: And on my side, I work specifically with purchasing groups, trade associations, and organizations like the Bar, so we don’t work directly with independent sole practitioners, but we can be accessed through the member benefits portal as well.

Christine Bilbrey: Oh okay and do you have a blog or…

Jacey Kaps:  A blog pod, but we are a Florida-based law firm and Rumberger Kirk & Caldwell has a website. I also have a LinkedIn page. I write on the subject, so you could google my name, go to the web page, whatever you prefer go to LinkedIn, you’ll find plenty of information about me, a passion for this subject and how important I think it is.

Christine Bilbrey: Well, I want to thank all of you. This has been very helpful. I like personally getting this information but especially for our listeners, I appreciate that all The Florida Bar members.

(00:14:59)

This has been another edition of The Florida Bar Podcast, brought to you by The Practice Resource Institute on Legal Talk Network. I want to thank our guests for joining us. If you liked what you heard today, please find us and rate us in iTunes. I’m Christine Bilbrey, until next time thank you for listening.

[MUSIC]

Outro: Thanks for listening to The Florida Bar Podcast, brought to you by The Florida Bar’s Practice Resource Institute and produced by the broadcast professionals at Legal Talk Network. If you’d like more information about today’s show, please visit legaltalknetwork.com. Subscribe via iTunes and RSS.

Find the Florida Bar, The Florida Bar Practice Resource Institute and Legal Talk Network on Twitter, Facebook, and LinkedIn or download the free app for Legal Talk Network in Google Play and iTunes.

The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice, as always consult a lawyer.